search

Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License
3.2k stars 742 forks source link

Using nullable parameter causes strange deployment error #12345

Closed jan-delaet closed 10 months ago

jan-delaet commented 10 months ago

Bicep version Bicep CLI version 0.22.6 (d62b94db31)

Describe the bug After refactoring one of our templates to deploy an AKS cluster and perform the required role assignments associated with it I'm running into a strange issue. After making a seemingly innocent change to the role assignment templates to use nullable parameters, it now consistently fails that part of the deployment with the following error:

The 'location' property must be specified for 'rg-aks-shared-prd-01'. Please see https://aka.ms/deploy-to-subscription for usage details. (Code: InvalidDeployment)

A template for repro is shown below, but this is basically the only thing that was changed in the template:

without nullable param, works:

@description('A description for the role assignment.')
param RoleAssignmentDescription string = '' // <= without nullable param
// ...
// ...
resource RoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('${RoleAssignmentName}-${ManagedClusterResourceGroup_Existing.name}-${ManagedCluster_Existing.name}-${ContainerRegistry_Existing.name}-${RoleDefinitionId}-${PrincipalId}')
  scope: ContainerRegistry_Existing
  properties: {
    roleDefinitionId: RoleDefinition.id
    principalId: PrincipalId
    description: !empty(RoleAssignmentDescription) ? RoleAssignmentDescription : null // <= without nullable param
  }
}

with nullable param, doesn't work:

@description('A description for the role assignment.')
param RoleAssignmentDescription string? // <= with nullable param
// ...
// ...
resource RoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('${RoleAssignmentName}-${ManagedClusterResourceGroup_Existing.name}-${ManagedCluster_Existing.name}-${ContainerRegistry_Existing.name}-${RoleDefinitionId}-${PrincipalId}')
  scope: ContainerRegistry_Existing
  properties: {
    roleDefinitionId: RoleDefinition.id
    principalId: PrincipalId
    description: RoleAssignmentDescription! // <= with nullable param
  }
}

To Reproduce

@description('The name of the managed Kubernetes cluster.')
param ManagedClusterName string
@description('The name of the resource group of the managed cluster.')
param ManagedClusterResourceGroupName string
@description('The subscription id of the managed cluster.')
param ManagedClusterSubscriptionId string = subscription().subscriptionId
@description('The name of the container registry.')
param ContainerRegistryName string
@description('The name of the role assignment.')
param RoleAssignmentName string
@description('The id of the role definition that should be assigned to the user principal.')
param RoleDefinitionId string
@description('A description for the role assignment.')
param RoleAssignmentDescription string? // <= This seems to cause the issue
@description('The principal id for the role assignment.')
param PrincipalId string

resource RoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: RoleDefinitionId
}

resource ContainerRegistry_Existing 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: ContainerRegistryName
}

resource ManagedClusterResourceGroup_Existing 'Microsoft.Resources/resourceGroups@2023-07-01' existing = {
  name: ManagedClusterResourceGroupName
  scope: subscription(ManagedClusterSubscriptionId)
}

resource ManagedCluster_Existing 'Microsoft.ContainerService/managedClusters@2023-08-01' existing = {
  name: ManagedClusterName
  scope: ManagedClusterResourceGroup_Existing
}

resource RoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('${RoleAssignmentName}-${ManagedClusterResourceGroup_Existing.name}-${ManagedCluster_Existing.name}-${ContainerRegistry_Existing.name}-${RoleDefinitionId}-${PrincipalId}')
  scope: ContainerRegistry_Existing
  properties: {
    roleDefinitionId: RoleDefinition.id
    principalId: PrincipalId
    description: RoleAssignmentDescription!
  }
}

Deploy the template at the resource group scope where the container registry is located. This will generate the error:

The 'location' property must be specified for 'rg-aks-shared-prd-01'. Please see https://aka.ms/deploy-to-subscription for usage details. (Code: InvalidDeployment)

Additional context N/A

jeskew commented 10 months ago

Closing as duplicate of #11914. The backend fix is not yet fully rolled out.